【Title】: Audit for specific Azure DNS in a specific region (Azure Policy)
【Published】: 2021-09-18 17:34:16
【Question】:

I want an Azure Policy that audits for specific Azure DNS servers in target regions. Both should be available as an array so that the policy can be scoped multiple times.

So far I have this. It does not work: setting the correct DNS makes the state compliant, but the regions specified in the array are completely ignored. My goal is a policy compliance check on both.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/virtualNetworks"
        },
        {
          "anyOf": [
            {
              "value": "[if(empty(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers')), bool('false'), equals(length(intersection(parameters('dnsSettings'), field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers'))), length(parameters('dnsSettings'))))]",
              "equals": false
            },
            {
              "value": "[if(empty(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers')), bool('false'), equals(length(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers')),length(parameters('dnsSettings'))))]",
              "equals": false
            }
          ]
        },
        {
          "not": {
            "allOf": [
              {
                "field": "location",
                "in": "[parameters('location')]"
              }
            ]
          }
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "dnsSettings": {
      "type": "Array",
      "metadata": {
        "displayName": "dnsSettings",
        "description": "Audit for specific DNS settings."
      }
    },
    "location": {
      "type": "Array",
      "metadata": {
        "displayName": "Location",
        "description": "Choose specific location",
        "strongType": "location"
      }
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effects",
        "description": "Enable or disable the execution of the Policy."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    }
  }
}

【Comments】:

    Tags: json azure azure-policy


    【Answer 1】:

    We can use auditIfNotExists with very few logical operations, so that it is only allowed after the success code; the example below is for understanding.

    {
        "if": {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
        },
        "then": {
            "effect": "auditIfNotExists",
            "details": {
                "type": "Microsoft.Compute/virtualMachines/extensions",
                "existenceCondition": {
                    "allOf": [{
                            "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                            "equals": "Microsoft.Azure.Security"
                        },
                        {
                            "field": "Microsoft.Compute/virtualMachines/extensions/type",
                            "equals": "IaaSAntimalware"
                        }
                    ]
                }
            }
        }
    }
    

    Below is how we can specify the DNS, with an example of adding DNS:

    {
        "mode": "All",
        "name": "Deny changing VNet DNS settings from pre-defined value",
        "description": "This Policy will prevent users from changing DNS settings on a VNet",
        "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Network/virtualNetworks"
                    },
                    {
                        "anyOf": [
                            {
                                "value": "[if(empty(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers')), bool('false'), equals(length(intersection(parameters('dnsSettings'), field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers'))), length(parameters('dnsSettings'))))]",
                                "equals": false
                            },
                            {
                                "value": "[if(empty(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers')), bool('false'), equals(length(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers')),length(parameters('dnsSettings'))))]",
                                "equals": false
                            }
                        ]
                    }
                ]
            },
            "then": {
                "effect": "auditIfNotExists"
            }
        },
        "parameters": {
            "dnsSettings": {
                "type": "array",
                "metadata": {
                    "displayname": "Enforced DNS Settings",
                    "description": "Users will be unable to change the DNS settings on a VNet from the values defined in this array."
                }
            }
        }
    }
    

    Check AzurePolicy.json and AzurePolicy.rules.json to understand how the standard DNS is allowed in the application rules. Include the location settings in it.

    【Discussion】:
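The question's definition never audits a VNet in the target regions because its third condition wraps the location check in `not`: the `if` block is true only for VNets whose location is *outside* the `location` array, so VNets inside the listed regions are always reported compliant. The definition below is an added example, not part of the question or the answer above. It keeps the asker's two DNS expressions and parameters unchanged and replaces the `not`/`allOf` wrapper with a plain `in` check on `location`, so a VNet is non-compliant only when it is in one of the listed regions *and* its `dhcpOptions.dnsServers` differs from `dnsSettings`. The `displayName` and `description` strings are added here for labelling; everything else comes from the page.

```json
{
  "mode": "All",
  "displayName": "Audit VNet DNS servers in selected regions",
  "description": "Example adapted from the question's definition: a VNet is non-compliant when its location is in the 'location' array and its dnsServers set differs from 'dnsSettings'. VNets outside the listed regions are not evaluated as non-compliant.",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/virtualNetworks"
        },
        {
          "field": "location",
          "in": "[parameters('location')]"
        },
        {
          "anyOf": [
            {
              "value": "[if(empty(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers')), bool('false'), equals(length(intersection(parameters('dnsSettings'), field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers'))), length(parameters('dnsSettings'))))]",
              "equals": false
            },
            {
              "value": "[if(empty(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers')), bool('false'), equals(length(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers')), length(parameters('dnsSettings'))))]",
              "equals": false
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "dnsSettings": {
      "type": "Array",
      "metadata": {
        "displayName": "dnsSettings",
        "description": "DNS server addresses every audited VNet must have, and nothing else."
      }
    },
    "location": {
      "type": "Array",
      "metadata": {
        "displayName": "Location",
        "description": "Regions in which VNets are audited; VNets elsewhere are ignored.",
        "strongType": "location"
      }
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effects",
        "description": "Enable or disable the execution of the Policy."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    }
  }
}
```

How the conditions combine: `Audit` marks a resource non-compliant when the whole `if` evaluates to true, so every member of the outer `allOf` must hold. The first DNS expression returns false when at least one address in `dnsSettings` is missing from the VNet, the second when the VNet has a different number of servers than the parameter; either one being false (`"equals": false`) means the sets differ. A VNet with no `dhcpOptions.dnsServers` at all (Azure-provided DNS) hits the `bool('false')` branch and is therefore reported non-compliant, which is the behaviour the asker's own expressions already encode. Assigning the same definition several times with different `location`/`dnsSettings` pairs gives the per-region scoping the question asks for; add `"Deny"` to `allowedValues` only if enforcement rather than reporting is wanted.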
